Posted: 13 Mar. 2020 10 min. read

Navigating the changing open banking landscape – where to from here?


We are now in the thick of Open Banking implementation. As the new regime evolves, changes and tactical improvements are continuously emerging. Since December 2019, we've seen:

  • delays in the implementation timeline
  • release of the CDR Rules
  • release of the CDR Privacy Safeguard guidelines
  • release of version 1.2 of the API standards
  • release of ACCC consultation papers on facilitating participation of intermediaries and on the timetable for participation of non-major ADIs.

Here's a quick summary of what you need to consider if you are a participant or potential participant in Open Banking in Australia.

Timeline

The most significant change to the timeline has been the five-month delay in consumer data sharing by the major banks, from February 2020 to 1 July 2020, with non-major ADIs to share consumer data from January 2021.

However, the announcement of these changes was soon followed by the ACCC's release of a consultation paper on further changes to the timing for non-major ADIs. The consultation paper proposes that the start date for consumer data sharing by non-major ADIs be delayed from January 2021 to July 2021. However, it also proposes that all three product phases be launched together.

It is also important to note that there is no proposed change to the compliance date of 1 July 2020 for Product Reference Data sharing. All non-major bank ADIs should be ensuring that they’re on track to meet these requirements which are now just a few months away.

CDR regulatory framework

In February 2020, two important regulatory documents were published: the Competition and Consumer (Consumer Data Right) Rules and the CDR Privacy Safeguard Guidelines. Both are substantial documents, running to over 200 pages each, and give the industry two key anchor points in designing compliant Open Banking solutions. The challenge for all participants is the sheer volume of new regulation and the comprehensive nature of the privacy guidelines, reflecting the importance that the regulators place on protecting consumers' data in this regime.

These followed the release in January 2020 by Data61 of version 1.2 of the Consumer Data Standards and associated CX Standards and Guidelines. This release is the binding baseline of the CDR regime and provides some certainty for the implementation of APIs by both Data Holders and Accredited Data Recipients.

Organisations should have in place a compliance program which enables them to provide evidence of how they comply with the new obligations set out in the CDR legislative framework – the legislation, CDR Rules, CDR standards and designation instruments. Staying current will provide an ongoing challenge for corporate risk committees to ensure participants remain compliant as the framework evolves.

The next phase - new classes of data recipients

At the end of December 2019, the ACCC issued a consultation paper on amending the CDR Rules to facilitate participation of intermediaries – third-party service providers that collect or facilitate the collection of CDR data from data holders on behalf of accredited persons. The ACCC expects to consult as early as March 2020 on draft rules that could expand secure access to CDR data to organisations that do not have the resources to become an unrestricted Accredited Data Recipient.

In January 2020 the Treasurer announced an inquiry into the future directions of the CDR to be led by Scott Farrell, the author of the original paper on open banking in Australia. The terms of reference include expansion of the functionality of the CDR including an examination of write access (read about payments initiation and our thoughts on this topic here) and enablement of efficient switching between products. An issues paper was released on 6 March 2020 with submissions due by 23 April 2020 and a report expected around September 2020.

Finally, the Terms of Reference for the Senate Select Committee on FinTech and RegTech include a review of the relative cost of CDR accreditation compared to ‘screen scraping’; the extension of the CDR to include ‘write access’; and sharing know your customer (KYC) verification records.

Some submissions to the Committee put forward the view that the CDR regime is too costly to implement for FinTechs and the rules should be relaxed. Other submissions, including from privacy advocates, argue equally robustly that privacy and security standards should be maintained or strengthened.

The original Farrell Review had highlighted the importance of building consumer trust in data sharing, which made robust accreditation and privacy requirements important. The Review proposed that tiered accreditation, along with other enhancements such as write access, should be considered only after open banking was successfully implemented.

Are you prepared?

The introduction of a new regulatory regime is often challenging and the CDR is one of the more complex recent changes, impacting first banking, with other industries such as energy and telecommunications to follow.

Participants need to stay across the changing regulatory landscape to ensure they remain compliant while also architecting their policies, processes and systems in a flexible manner to avoid expensive re-work as the rules and standards evolve.

Some questions worth asking:

  • How will I ensure that I comply with over 160 regulatory obligations?
  • How will I ensure that I remain compliant as the legislative framework evolves?
  • Should I become an Accredited Data Recipient now, or should I plan to access data via an intermediary when that becomes possible?
  • As a non-major ADI, should I commence my platform build now, or implement a tactical solution for Product Reference Data in July to allow a more considered build process?
  • Will my open banking platform support write capability in the future without a complete re-design?

Closing thoughts

Complying with the new regulatory obligations will be a challenge for many organisations. Deloitte has developed an Open Data Obligations Tool to help clients efficiently evaluate their compliance with the obligations set out in the CDR legislative framework and to track gaps dynamically as change occurs. 

Deloitte also has a range of Open Banking related services which can help organisations across a range of areas which impact their businesses: regulatory compliance, privacy, and information security; credit risk and strategic pricing; data governance, architecture and analytics; the development of open data platforms and APIs; and the creation of new customer propositions or business strategy.

Reach out if you need assistance on anything to do with open banking and the CDR.

Written by David Giddy, an ex-Principal of Deloitte. For any questions, please contact Tim Ellis.

More about the authors

David Giddy

Principal, Payments Advisory, Audit & Assurance

David is a Principal in our Melbourne office within Deloitte’s Australian Payments Advisory practice. His 30 years of industry experience have focused on technology, product development and management, with a particular focus on Payments and Transaction Solutions. Key areas of expertise include Open Banking assurance and propositions, strategy development and execution across areas such as cards, mobile, new products and digital payments.

Richard Miller

Partner, Financial Services

Richard leads Deloitte's Financial Services Payments practice nationally. He has 20 years' experience working with start-ups, payments service providers and financial institutions on strategy development and execution. He has helped organisations across North America and Asia Pacific with projects relating to cards, mobile banking, M&A, regulation, process improvement, EMV, new product development and digital/mobile payments.

Tim Ellis

Director, Payments Assurance and Advisory

Tim is a Director in Deloitte’s Payments Advisory Practice based in Sydney with over 10 years of professional services experience. Tim is a Payments specialist focused on the delivery of client-centric solutions through strategy and implementation projects. Tim’s technology background, combined with strong business acumen and consulting experience, enables him to bridge the gap between technical and commercial considerations to deliver tangible value for clients. Tim leads Deloitte’s Open Banking assurance services, helping clients define their strategic intent, assess their readiness and roadmap for compliance, and develop commercial use cases. Tim is the owner of Deloitte's proprietary Open Data Obligations Register that helps clients accelerate their Open Banking programs.

Rajat Jain

Director, Payments Advisory, Audit & Assurance

Rajat is a senior director and national leader for our Payments Advisory practice. Rajat and his team have a unique sectoral focus to help our clients with their most demanding payments problems – from developing and executing business, customer and product strategies to navigating conduct and compliance complexity and modernising corporate and government payment operations. Their areas of expertise include consumer and corporate cards, open and closed loop payments networks, buy-now-pay-later solutions, merchant acquiring (online and in-store POS), payments systems regulations, real-time payments and Open Banking.